Full Report
Popular artificial intelligence (AI)-powered Microsoft Visual Studio Code (VS Code) forks such as Cursor, Windsurf, Google Antigravity, and Trae have been found to recommend extensions that do not exist in the Open VSX registry, potentially opening the door to supply chain risks when bad actors publish malicious packages under those names. The problem, according to Koi, is that these
Analysis Summary
# Vulnerability: Unclaimed Extension Namespace Hijacking in VS Code Forks via Open VSX
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text.
- CWE: CWE-264 (Permissions, Privileges, and Access Controls) or potentially CWE-829 (Inclusion of Functionally Equivalent but Non-Identical Dependencies) related to supply chain integrity.
## Affected Systems
- Products: AI-powered Microsoft Visual Studio Code (VS Code) forks, specifically named: **Cursor, Windsurf, Google Antigravity, and Trae**.
- Versions: Not specified; the issue applies wherever these forks recommend extension IDs taken from Microsoft's marketplace whose namespaces are missing or unclaimed in the **Open VSX registry**.
- Configurations: Occurs when the IDEs recommend extensions based on features or installed software (file-based or software-based recommendations) that point to non-existent namespaces on Open VSX.
## Vulnerability Description
VS Code forks (like Cursor, Windsurf, etc.) inherit extension recommendation lists from Microsoft's marketplace. Several of these recommended extensions refer to namespaces on the Open VSX registry that were unclaimed. This vulnerability allowed an attacker to register a malicious package under a legitimate, expected namespace (e.g., `ms-ossdata.vscode-postgresql`). When a developer opens a relevant file or has matching software installed, the fork recommends the extension; installing it downloads the malicious code from Open VSX, leading to supply chain compromise. This trust mechanism allowed for the deployment of rogue extensions that could steal credentials, secrets, and source code.
## Exploitation
- Status: Successfully demonstrated. Koi claimed to have published a placeholder PostgreSQL extension (`ms-ossdata.vscode-postgresql`) that attracted over **500 installs**, showing that the recommendation mechanism can be exploited (here by researchers, and potentially by real attackers).
- Complexity: Low (Attacker only needs to claim an unclaimed Open VSX namespace).
- Attack Vector: Adjacent (Requires the user to interact with the IDE's recommendation prompt).
## Impact
- Confidentiality: High (Potential theft of credentials, secrets, and source code).
- Integrity: High (Malicious code execution via rogue extension installation).
- Availability: Medium (Potential degradation or disruption caused by the malicious extension's activities).
## Remediation
### Patches
- **Cursor**: Patches have been rolled out following responsible disclosure. (Specific version details not provided).
- **Google Antigravity**: Patches have been rolled out following responsible disclosure. (Specific version details not provided).
- **Eclipse Foundation (Open VSX)**: Enforced broader registry-level safeguards and removed non-official contributors' access to the registry.
### Workarounds
- Developers must exercise caution before downloading any package or approving an install by **verifying that it comes from a trusted publisher**, regardless of the IDE's recommendation.
## Detection
- **Indicators of Compromise**: Attempts to install extensions corresponding to namespaces previously identified as being targeted (e.g., `ms-ossdata.vscode-postgresql`, `ms-azure-devops.azure-pipelines`, etc.) without explicit user verification of the source.
- **Detection methods and tools**: Monitor extension installation requests originating from the affected IDE forks and cross-reference the publisher and namespace against known legitimate sources, especially for extensions recommended through automated prompts.
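The following is an added example (not Koi's, the IDEs', or Open VSX's code) that applies the detection advice above to the mechanism described in the vulnerability description: it takes the extension IDs a fork is about to recommend (a constructed `.vscode/extensions.json`) and classifies each against a constructed registry snapshot and a publisher allowlist, so that an unclaimed namespace or a claimed-but-untrusted publisher is refused before any install prompt appears. The snapshot's shape (namespace, `verified` flag, extension names) is an assumption loosely modelled on what a registry lookup returns; a real check would query Open VSX or an internal mirror.

```python
import json
import re

# Extension IDs have the form "<namespace>.<name>", e.g. ms-ossdata.vscode-postgresql.
EXT_ID = re.compile(r"^(?P<ns>[A-Za-z0-9][\w-]*)\.(?P<name>[A-Za-z0-9][\w-]*)$")

# Constructed registry snapshot (assumption: shape loosely mirrors a namespace
# lookup on Open VSX; replace with a live query or an internal mirror).
REGISTRY_SNAPSHOT = {
    "ms-python": {"verified": True, "extensions": {"python"}},
    "redhat": {"verified": True, "extensions": {"java"}},
    # Claimed by an unverified third party, expected name published: the squatting case.
    "ms-ossdata": {"verified": False, "extensions": {"vscode-postgresql"}},
}
# Publishers the organisation has vetted; anything else is refused even if it exists.
TRUSTED_PUBLISHERS = {"ms-python", "redhat"}

# Constructed .vscode/extensions.json content for the demonstration.
SAMPLE_EXTENSIONS_JSON = json.dumps({"recommendations": [
    "ms-python.python",                 # vetted publisher, published: fine
    "ms-ossdata.vscode-postgresql",     # claimed by an untrusted party: block
    "ms-azure-devops.azure-pipelines",  # nobody owns the namespace: block and report
    "redhat.vscode-yaml",               # vetted owner, not published here: skip
    "not an id",                        # malformed: never hand to an installer
]})


def classify(ext_id, registry=REGISTRY_SNAPSHOT, trusted=TRUSTED_PUBLISHERS):
    """Return a verdict for one extension ID; only 'ok' should reach the user."""
    m = EXT_ID.match(ext_id)
    if not m:
        return "malformed"
    ns, name = m.group("ns"), m.group("name")
    entry = registry.get(ns)
    if entry is None:
        return "unclaimed-namespace"    # open for anyone to register: hijack risk
    if ns not in trusted or not entry.get("verified"):
        return "untrusted-publisher"    # exists, but not from a vetted, verified owner
    if name not in entry["extensions"]:
        return "not-published"          # trusted owner, nothing to install
    return "ok"


def audit(extensions_json, registry=REGISTRY_SNAPSHOT, trusted=TRUSTED_PUBLISHERS):
    """Map every recommended ID in an extensions.json document to its verdict."""
    recs = json.loads(extensions_json).get("recommendations", [])
    return {ext: classify(ext, registry, trusted) for ext in recs}


if __name__ == "__main__":
    for ext, verdict in audit(SAMPLE_EXTENSIONS_JSON).items():
        print(f"{verdict:20} {ext}")
```

Only IDs classified `ok` should be surfaced to the user; `unclaimed-namespace` results are worth reporting to the IDE vendor, since each one is a name an attacker could still register.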
## References
- Vendor Advisory Source (Koi Research): hxxps://www.koi.ai/blog/how-we-prevented-cursor-windsurf-google-antigravity-from-recommending-malware
- News Article: hxxps://thehackernews.com/2026/01/vs-code-forks-recommend-missing.html